Search form

European Union

European Union

Current Status: The EU Data Retention Directive (DRD), adopted by the European Union in 2006, is the most prominent example of a mandatory data retention framework. The highly controversial Directive compels all ISPs and telecommunications service providers operating in Europe to collect and retain a subscriber's incoming and outgoing phone numbers, IP addresses, location data, and other key telecom and Internet traffic data for a period of 6 months to 2 years. This applies to all European citizens, including those not suspected or convicted of any crime. Pushed through by powerful U.S. and U.K. government interests, the DRD forces services providers to retain traffic data revealing who communicates with whom by email, phone, and SMS, including the duration of the communication and the locations of the users. The data is often made available to law enforcement.

In March 2011, the law transposing the EU Directive in the Czech Republic was annulled by the country’s constitutional court. Lithuania's law implementing the Directive was declared unconstitutional before the law took effect. Hungary's implementation of the directive is still under review by the Constitutional Court of Hungary. Some members of the European Union have refused to adopt the DRD into their national laws. In addition to Germany, Sweden continues to delay the implementation of the DRD. The European Commission has referred Sweden back to the European Court for failing to transpose the EU legislation into national law. In Slovakia, the NGO EuropeanInformationSocietyInstitute is opposing the Slovakian data retention implementation law.

Public Discussion: Since its passage, the EU Data Retention Directive has faced intense criticism and has an uncertain future. The Directive has been opposed by lawmakers in the European Parliament who argue that it fosters a surveillance society and undermines fundamental rights. While it has been integrated into national laws, legal fights against the DRD continue. An Irish constitutional challenge against its 2009 data retention law has been referred to the European Court of Justice (ECJ). The ECJ may decide on the legality of the overall Directive, which can have implications throughout the European Union.

The European Commission is carrying out an impact assessment of the Directive and has announced its intention to propose a revision. Leaked documents confirm that the Commission is seeking to create evidence supporting the need for a DRD scheme in the EU and unnamed parties are seeking to broaden the uses of DRD to include prosecution of copyright infringement. In April 2011, the Commission published an evaluation report of the DRD that revealed inconsistencies with how EU members implement the legislation and which authorities can access the data. The European Data Protection Supervisor (EDPS) criticized the report, arguing that the Commission has failed to demonstrate that the DRD is necessary and proportionate. Under the EU Charter on Fundamental Rights, the Directive will only be legal if both requirements are met. According to EDPS, the Commission has not demonstrated that data retention could have been regulated in a less privacy-intrusive way. EDPS also charges that the Directive leaves too much leeway for Member States to decide how the data is used, who can access the data and under what conditions.

Opponents are demanding that the Commission provideevidence that in the absence of a mandatory data retention law, traffic data crucial to the investigation of a "serious crime" would not have been available to law enforcement. They are also calling for a system of oversight that allows citizens to monitor the impact of DRD on their privacy. European Digital Rights (EDRI), a Brussels-based NGO, along with EFF and AKVorrat is fighting to repeal the DRD in favor of targeted collection of traffic data. EFF supports EDRI’s position urging the Commission to overturn the DRD and stop the ongoing violation of 500 million innocent Europeans. This action would prevent Member States from using the Directive to legally justify massive collection and overbroad use of personal data.

Related Updates

EFF, Amnesty International, Color of Change, the Center for Democracy and Technology, and our other coalition partners are urging data brokers to take a stand against government surveillance and discrimination based on religion, national origin, and immigration status.
As explained in a joint statement released today, data brokers collect and...

But according to Eva Galperin, a global policy analyst for the Electronic Frontier Foundation, "the tech giants show no signs of complying — not Google, not Facebook, not Twitter."
Galperin expects these large U.S.-based companies to treat the new law's mandates as they did the data localization requirements ...

It’s been a rough month for Internet freedom in Russia. After it breezed through the Duma, President Putin signed the “Yarovaya package" into law—a set of radical “anti-terrorism” provisions drafted by ultra-conservative United Russia politician Irina Yarovaya, together with a set of instructions on how to implement the new rules...

Over the last few months, Pakistan's Internet community has been fighting to stop the passage of one of the world's worst cyber-crime proposals: the Prevention of Electronic Crimes Bill (PECB). Thanks in part to the hundreds of messages sent to Pakistan's senators, they secured a major victory this week—public...

In a disappointing decision, Mexico’s Supreme Court rejected a challenge to Mexico’s Ley Telecom data retention mandates and its lack of legal safeguards. The challenge, or writ of amparo—a remedy available to any person whose rights have been violated—was filed by R3D.mx on behalf of a coalition of...

The Supreme Court of Justice of Mexico (SCJN) is about to issue its decision on an injunction against a provision of the Federal Telecommunications Act (also known as Ley Telecom) that requires telephone companies and internet service providers to retain data about their users’ communications for a period of 24...

It is a truth universally acknowledged that a government, in the wake of a national security crisis—or hostage to the perceived threat of one—will pursue and in many cases enact legislation that is claimed to protect its citizens from danger, actual or otherwise. These security laws often include wide-ranging provisions...